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Abstract 

Binary multirelations generalise binary relations by associating elements of a set to its subsets. We 
study the structure and algebra of multirelations under the operations of union, intersection, sequential 
and parallel composition, as well as finite and infinite iteration. Starting from a set-theoretic investigation, 
we propose axiom systems for multirelations in contexts ranging from bi-monoids to bi-quantales. 


1 Introduction 

Multirelations generalise binary relations in that elements of a given set are not related to single elements 
of that set, but to its subsets. Hence a multirelation over a set X is a relation of type 1x2^ and elements 
of a multirelation are pairs (a, B) with a G X and B C X. Multirelations have found applications in 
program semantics and models or logics for games that require alternation [5], that is, two dual kinds of 
nondeterministic choice. The first one occurs within individual pairs (a, B) when selecting an output b £ B 
to an input a; the second one occurs between pairs (a, B) and (a, C) when selecting an output B or C to an 
input a. 

Multirelations occur, in slightly generalised form, as transition relations of alternating automata El El 
with universal choices (a,a,B) forcing simultaneous moves from state a along u-labelled edges into all 
states in B , whereas existential choices between (a,<r, 5) and (a,<r,C) for instance, allow the selection of a 
transition from a into either B or C labelled with er. Similarly, in two-player games, moves (a, B) are made 
by an antagonist, and a protagonist must be prepared to play from each state in B ; whereas a protagonist 
can select between moves (a, B) and (a,C) [32] El 23, 24] [26]. Otherwise, in multirelational semantics of 
computing systems E H EH ESI ED] choices (a, B) are controlled by the environment (the system must be 
correct under all of them), whereas choices between ( a,B ) and (a,C) are controlled by the system (the 
system must be correct under at least one of them). Moreover, in the semantics of concurrent dynamic 
logic [El ES ESI E3 133, an element (a, B ) indicates an execution of a parallel program or component 
starting in state a and terminating in the states within 13, whereas (a, B) and (a, C) correspond to different 
executions. In these contexts, the first kind of choice is often called external , universal or demonic ; the 
second one is known as internal , existential or angelic. 

To reason about systems modelled by multirelations, modal logics such as game logics [23] [24] and 
concurrent dynamics logics [l4l l20l l28ll27l 133] have been developed. Despite its obvious significance, however, 
the algebra of multirelations itself has so far received rather limited attention—except for the special case of 
up-closed multirelations ismsiEaEaEa, which are isomorphic to monotone predicate transformers |23l . 
The general algebra of multirelations, which forms the semantics of concurrent dynamics logics and captures 
alternation in its purest form, remains to be investigated in depth. 

A first step towards taming multirelations has been an algebraic reconstruction of Peleg’s concurrent 
dynamic logic from a minimalist axiomatic basis |lfll I12j . This article takes the next steps towards ax¬ 
iom systems for multirelations in the spirit of Tarski’s relation algebra (cf. [17]). Though there are many 
similarities, this is not straightforward: the sequential composition of multirelations, for instance, is more 
complex than its relational counterpart and not associative; the parallel composition of multirelations has no 
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relational counterpart; the relational converse makes no sense for multirelations. Thus alternative axioms, 
definitions and proofs for multirelational concepts are required. 

Our main contributions are as follows. To obtain a basis for our axiom systems, we extend our pre¬ 
vious investigation of multirelational properties by new interaction laws between sequential and parallel 
composition and an explicit definition of a multirelational domain operation. We also identify several sub¬ 
classes of multirelations—sequential and parallel subidentities, vectors or terminal multirelations, nontermi¬ 
nal multirelations—and mappings between these classes (cf. Figure |T] and [2]). Based on these set-theoretic 
preliminaries we axiomatise multirelations at four different layers. 

First we expand weak bi-monoids with operations for sequential and parallel composition by sequentiality- 
parallelism interaction axioms. We define a domain operation explicitly on these c-monoids and show that 
the domain elements form a sub-semilattice in which sequential and parallel composition coincide. We show 
that previous domain axioms for sequential monoids [6] and concurrent monoids jlOj are derivable in this 
setting. 

Second, we expand c-monoids to c-trioids by adding an operation of internal choice and providing another 
interaction axiom. The domain elements now form a distributive sublattice. All concurrent dynamic algebra 
axioms mm become derivable in the presence of a Kleene star and a few more simple multirelational 
properties. 

Third, we study bounded distributive lattices with operations of sequential and parallel composition, 
to which we add different sequentiality-parallelism interaction axioms. The resulting c-lattices are also 
c-trioids, and a large number of laws can be derived in this setting. In particular, we prove that the 
algebras of subidentities and vectors are isomorphic (only sequential composition is usually not preserved) 
and characterise the subalgebras of these elements as well as that of nonterminal elements. In the latter, in 
fact, we find greater similarity to binary relations. 

Finally, we consider notions of finite and infinite iteration over multirelations in an expansion of c-lattices 
to c-quantales. Due to the lack of distributivity and associativity laws in algebras of multirelations, our results 
are weaker than those for relations. 

Because of the complexity of reasoning with multirelations and the task of minimising algebraic axiom 
systems, we have formalised all structures and proofs with the Isabelle/HOL theorem prover |21j . Our 
investigations are therefore also a study in formalised mathematics. Our Isabelle theories and a detailed 
proof document can be found online in the Archive of Formal Proofs and consulted together with our 
article. Many proofs in this article are syntactic manipulations, which may be tedious, but carry litte 
insight—consequently they are not displayed. Instead we provide human-readable Isabelle proofs whenever 
suitable and we have added pointers to the facts in this article to the Isabelle proof document. However we 
show some interesting proofs and counterexamples, as they are given, but not internally verified, by Isabelle. 

The remainder of this article is organised as follows. Section [2] provides the basic definitions, operations 
and properties of multirelations. Section [3] introduces the sets of sequential subidentities, parallel subidenti¬ 
ties and vectors and the isomorphisms between them. These are summarised in the three diagrams of Figured 
and [2j on which much of the algebraic investigation is based. It also introduces some basic properties of 
nonterminal multirelations, which do not allow any pairs (a, 0) and provides the multirelational laws needed 
for algebraic soundness proofs in later sections. Section [|] studies c-monoids, our first axiom system for 
multirelations, Section [5] and [7] introduce c-trioids and c-lattices. Section [6] explains the relationship between 
c-trioids and concurrent dynamic algebras. Definitions of a domain operation in c-lattices are presented 
in Section [5] The subalgebras of subidentities and vectors and the associated isomorphisms are studied 
in Section [9] and 1101 Functions separating terminal and nonterminal elements are defined in Section [Tl] 
and properties of these functions are presented. Notions of finite and infinite iterations for c-quantales are 
studied in Section fl2l and fldl Section H4l presents some counterexamples; Section fl5l sketches how up-closed 
multirelations arise in our setting. Finally, Section [16] presents a conclusion. 
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2 Basic Definitions and Properties 

This section follows Peleg [28] in defining the operations of sequential and parallel composition on multire¬ 
lations. Sequential composition is different from the one used for up-closed multirelations introduced by 
Parikh [33J |2D. We then outline a few set-theoretic properties of multirelations which are important for the 
algebraic developments in later sections, and we sketch some examples. 

A multirelation R over a set X is a subset of X x 2 A . We write for the set of all multirelations 

over X. The sequential composition of R, S G »/#( X ) is the multirelation 

R-S= {(a, A) | 3B. (a, B) G R A 3/. (V6 G B. (b, /(&)) G 5) A A = (J 

The unit of sequential composition is the multirelation 

la = {(x, {x}) | x G X}. 

The parallel composition of R and S is the multirelation 

R\\S = {(a, A U B) | (a, A) G R A (a, B) G 5}. 

The unit of parallel composition is the multirelation 

Itt = {(*,0) | x G X}. 


The universal multirelation over A' is 


U = {{a,A)\a£X AACX}. 

A pair ( a,B ) is in R - S if R relates a to some intermediate set C and S relates each element c G C to 
a set B c in such a way that B = U c6 c B c . This can be motivated in various ways, as discussed by 10!. 
Peleg’s original intended interpretation, for instance, associates R ■ S with the sequential composition of 
parallel programs or concurrent components, such that program R reaches the concurrent state in C from 
a in a parallel execution, after which program S reaches the concurrent state B in parallel executions from 
each state cGC, reaching concurrent sub-states B c from each of these states. Alternatively, in the context 
of computation trees based on alternation or dual nondeterminism, component R makes an internal choice 
of moving to state C, which resolves the external choices for transitions from state a and represents one 
level of the computation tree. After that, component S makes internal choices of moving from each state 
c G C to a set B c , thus resolving its external choices. The states in [J ceC B c form the next level of the 
computation tree. This interpretation reflects, for instance, the construction of a run or computation tree of 
an alternating automaton whose transitions are modelled by a multirelation. 

A pair (a, B) is in i?||5 if B can be decomposed with respect to sets C and D such that (a, C) G R and 
(a, D) G S, that is, the parallel execution of R and S from a produces the global state B. In other words, the 
external choices in R\\S arise as the union of the external choices in R and those in S from each particular 
state; whereas the internal choices are not combined. This is dual to R U S, where the union of the internal 
choices of R and S is taken while the external choices are not combined. 

A multirelation I? is a sequential subidentity if R C l a . The sequential subidentities form a boolean 
algebra with least element 0 and greatest element l a . Join is U and meet is •. The complement of a 
subidentity R is formed by the set {(a, {a}) | (a, {a}) ^ P}. A parallel subidentity is a multirelation R C l n . 
We write 

y’(X) = {R G Jt(X) | R C l a }, 3T{X) = {R G Jt{X) \ R C l w }, 

for the set of all sequential and parallel subidentities of X. The name ^(X) is justified by the fact that 
parallel subidentities can be identified with terminal multirelations; see Section [3] 
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We consider three more sets of multirelations. A multirelation R is a vector if whenever (a, A) £ R for 
some A C X, then (a, A) £ A for all A Cl. A multirelation R is up-closed if (a, A) £ R implies (a, B) £ R 
for all BAA and B C X. Finally, we define to be the complement of in ^(X ). We write 

f(X) = {R£ JZ(X) | (BA C X.(a, A) £ R) =$■ (VA C X.(a, A) £ R}, 

W(X) = {R£ Jt(X) |VACI,SC X.((a, A) £ R A A C B => (a, B) £ R}, 

Jf(X) = {R£ Jt(X) | R C T^}. 

The elements in ^V(X) are called nonterminal multirelations; see again Section [3] 

Multirelations form proto-dioids [10], which are defined in Section [5] At this stage it suffices to mention 
the following laws. 

R\J(SUT) = (RUS)UT, RUS = SUR, R U 0 = R, R U R = R, 
(R-S)-TCR-(S-T), 1 a -R = R, R-l a =R, 

R-SUR-TCR-(SUT), (RU S) -T = R-TU S T, $-R = R, 

J?||(5||T) = (i?||5)||T, R\\S = S||i?, 1„|| R = R, 

R\\(SUT) = R- SUR-T, 0||i? = 0, 

(R\\S)-TC (R-T)\\(S-T). 

Sequential composition is not associative and R ■ 0 is generally not 0. More generally, pairs (a, 0) £ R persist 
in any sequential composition R ■ S —whence the name terminal. 

Sequential subidentities satisfy stronger properties. First of all (R ■ S) ■ T = R ■ (S ■ T) if one of R , S , T 
is in y(X). Second, R ■ (S UT) = R ■ S U R ■ T ii R £ y(X). 

The interaction between sequential and parallel composition is captured by the following properties, 
among others. 

Lemma 2.1. Let R £ S?(X ) and S £ £T(X). Then 

1. = R, 

2. S\\S = S, 

3. U\\U = U, 

4■ f 7r II 17T 1-7T ■ 

The proofs follow immediately from the definitions. 

Lemma 2.2. Let R,S,T £ ^(X). Then 

1. (R • ) ||1? = R, 

2. T\\T CT => (i?||5) T = (R-T)\\(S ■ T), 

3. (R\\S)-T=(R-T)\\(S-T), ifT £ S?(X) U ST(X) U {U,T„}, 

4- R-(S\\T)C(R-S)\\(R-T), 

5. R-(S\\T) = (R-T)\\(R-T), ifR£S'(X), 

6. R ■ (S ■ T) = (R ■ S) - T, if one of R, S, T is in S*(X) U &(X), 

7. (R n S) ■ T = R ■ T n S ■ T, if R, S £ S?(X). 

We present one example proof to illustrate the style of reasoning with multirelations. 


4 


Proof. (Lemma [5Z3,2)) T\\T C T implies that 

(a, B) G T A (a,C) G T => (a, B U C) G T 

holds for all a G X. Therefore 

(a, A) G (B • T)||(5 • T) 

^ 3B, C. A = BUC A (3B. (a, D) € R A 3/. (Vd G B. (d, /(d)) G T) A B = |J /(B)) 

A (3E. (a, E) G S' A 3#. (Ve G E. (e, 5 (e)) G T) A C = (J g(E)) 
o3D,£. (a, BUB) G R\\S A 3/, 5 . (Vd £ D,e £ E. (d,/(d)) GTA(e,j(e)) G T) 

A A = |J /(B) U 3 (B) 

=> 3D, E. (a, BUB) G R\\S A 3/, g. (VdGB-B,eGB-B,iGBnE. 

(d, /(d)) GT A (e, 5 (e)) GT A (a;, (/ U g)(x)) G T) 

A A = (J f(D - B) U g(E -B)U(/Uj)(BU B) 

O 3B, B. (a, B U B) G i?||5 A 3d. (Vd G B U B. (6, d(d)) G T) A A = (J h(D U B) 

^ 3B. (a, B) G B||S A 3d. (Vd G B. (d, d(d)) G T) A A = (J d(B) 

(a, A) G (BUS) -T. 

The third step uses the assumption T\\T C T; the fourth one uses the function 

{ f(x) if x € D — E, 

(/ U g)(x) if iGflflB, 

5 (x) if x G B — B. 

The converse inclusion has been proved in m- □ 


3 Subalgebras and Isomorphisms 

This section studies the relationship between the sets of sequential subidentities, parallel subidentities and 
vectors as well as the special case of nonterminal multirelations. We use these sets and their relationships to 
extract algebraic axioms for multirelations in later sections. Most of the properties outlined in this section 
are verified rigorously in the algebraic setting of later sections. 

The constants 1 CT , l ff , 0, U and play an important role in our considerations. The first lemma of this 
section describes their action on multirelations. 

Lemma 3.1. LetRG^C(X). Then 

1. R-1„ = {(a, 0) | 3B. (a,B) G R}, 

2. R n 1*. = B • 0 = {(a, 0) I (a, 0) G B} ; 

3. R n la = {(a, {a} | (a, {a}) G B}, 

4. R ■ U = {(a, A) | A = 0 A (a, A) G B} U {(a, A) \ 3B ± 0. (a, B) G B}, 

5. R\\U = {(a, A) | 3B. (b,B)gBABC4}. 
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The proofs are straightforward. Intuitively, R ■ replaces every pair (a, A) G R by (a, 0), overwriting A 
by 0, whereas Rd l v and R • 0 both project on the pairs (a, 0) G R. The multirelation RC\l a projects on 
the pairs (a, {a}) G R; and the product R\\U computes the up-closure of R. Thus 


y(X) = {RG Jt{X) 

y(x) = {rg jz{x) 

Y[X) = {Rg Jt{X) 
&(X) = {RG Jt{X) 
jY{X) = {R G J{[X) 


R n l fj —■ R}, 

R • In = R}, 
(R-U)\\U = Rj, 
R\\U = R}, 
Rnu = R}. 


The functions (filer) = Xx. x f 1 CT , (-b) = Xx. x ■ W, (|| U) = Xx. x\\U, whose fixpoints determine the 
sets y(X), y(x) and X(X), and the map (•[/) = Xx. x ■ U play an important structural role. When 
specialising their sources and targets to y(X), "V{X) or X7(X) they serve as bijective pairs showing that 
these sets are isomorphic. More precisely, the maps in Figure (T] are isomorphisms, and we verify this fact 
in Proposition 110.11 Under the source and target restrictions indicated, each function in the diagram is 


■U) 


y(x ): 




(m 



Figure 1: Isomorphisms between y(X), SX{X) and y{X) 

bijective and pairs of functions between the same sets compose to identity maps of the appropriate type. 
The isomorphism between (X) and y(X) is well known in the setting of binary relations; the same maps 
are used for implementing it. The isomorphisms with AX(X) are particular to multirelations. More generally 
it can be shown that all triangles in this diagram commute. 

The pair (||lo-) o (-I*.) = ly(x) generalises to a map Xx. (x ■ 1^)|jlo- : ^(X) —>■ y(X). Applied to a 
multirelation R , the function (T^) overwrites any A in a pair (a, A) G R by 0; the function (||1 CT ) further 
overwrites it by {a}. In other words, 

(R ■ bOUU, = {(a, {a}) | 3 B.[a, B) G R}, 

which represents the domain of R. We can thus define the domain of a multirelation explicitly as 

d(R) = (i?-l 7r )||l ff , 

that is, the following diagram commutes. 


J((X) 


■U) 


nx) 



( 111 .) 


y(x) 
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Figure 2: Isomorphisms between JT'(X), 4?(X) and y(X) for general and nonterminal multirelations 


Moreover, d(R) = R<1 l a if R £ Y(X) and d(R) = R\\l a if R £ X ), such that the maps (fllo-) and (||lcr) 
in Figure [l]can be replaced by d. The result is shown in the left-hand diagram of Figure [2] The right-hand 
diagram shows the situation restricted to nonterminal multirelations. The sets of sequential subidentities, 
parallel subidentities and vectors remain isomorphic, but in the bijections, replaces U. In addition, vectors 
are now obtained by (T x ) : ^#( X ) —> Y{X) similarly to binary relations. 

The following properties can be justified from these diagrams; they are needed for verifying soundness of 
the algebraic axioms in later sections. 

Lemma 3.2. 1 . ((.R ■ 1*)||1 (T ) • S = (.R • 1„)||£, 

2. R-KQ In, 

3. R-lnUR-ln = R-U, 

4 - l w n(i?Ul T ) = R-0, 

5. ((Rni tr )-i„)\\i <T = Rni tr , 

6. ((R nl w ) • l^llu = i a n (RnT^) -T n , 

7. ((RhItt) ■ ItOHU = (RnT w ) - in. 

Equation (1) states that d(R) ■ S = (R ■ 1 T )||S, generalising commutation of the diagrams (•[/) o d = 
(||J7)o(.l w ) and (-l ff )o d = (||l 7 r )o(-l 7r ) in Figure[5]to (-S)od = (||S)o(-l 7r ). For S = l a , (1) specialises to the 
explicit domain definition d(R) = ( R ■ 1^)111^. Equation (2) reflects the fact that R- In & 3 / {X). Equations 
(3) and (4) arise from the fact that 1and l w are complements. Equation (5) states that d(R) = R 
for all R £ S*(X), which is the isomorphism condition (||lo-) o (-1 T ) = l^(x)- Equation (6) states that 
d(R) = l a O R ■ l n for all R £ ^Y(X), that is, the diagram d = do (- 1 ^) = (nl CT ) o commutes. This 
domain definition is analogous to the relational case; however it does not generalise to ./# (X). Equation (7) 
states that d(R) ■ l w = R ■ l w for all R £ jY{X~), that is, the diagram (T w ) = (-I*.) o d commutes. Again, 
this reflects a relational fact, which does not generalise to ,/^{X). 

The domain of a binary relation can be defined explicitly as well: either as d{R) = 1 n R ■ U or as 
d(R) = 1 (~l R ■ R "', where 1 denotes the identity relation, U the universal relation and R w the converse of R. 
However, for R = {(a, 0)}, we have l a fl R ■ U = 0 C {(a, {a})} = d(R) and the converse of a multirelation 
does not seem to make sense. 
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4 c-Monoids 


We now introduce a first axiom system for multirelations in a minimalist bi-monoidal setting, where only 
sequential and parallel composition and the corresponding units are present. It allows us to use the explicit 
domain definition 

d(x) = (x ■ l w )\\l a , (d) 

which has been verified in the multirelational model, to derive domain axioms similar to those for domain 
monoids 0, and to verify some properties of the (X). S^(X), S?{X) triangle. 

A proto-monoid is a structure (S, •, 1 CT ) such that l a -x = x = x- l a holds for all x £ S. Hence composition 
is not required to be associative. A proto-bi-monoid is a structure (S, •, ||, \ a , l ff ) such that (S, •, 1 CT ) is a proto¬ 
monoid and (S, ||, 1 ^) a commutative monoid. A concurrent monoid ( c-monoid ) is a proto-bi-monoid that 
satisfies the axioms 


(x ■ l n )\\x = x, (cl) 

((* ‘ I 71 -)||ler) - y = {x ■ I 71 -)||z/, (c 2 ) 

{x\\y) ■ l n = {x ■ l ff )||(y • lvr), (c3) 

(x ■ y) ■ 1„ = x ■ {y ■ Itt), (c4) 

1 cr 111 cr — 1(T- (c5) 


These axioms are sound with respect to the multirelational model. 

Proposition 4.1. („-#(AT), •, ||, 1 CT , 1^) forms a c-monoid. 

Proof. The following axioms have been verified in the following Lemmas: (ED in E2tl); ED inlUl); ED 
in 12.21 21 and 12. If 2b (Icil) in l2.2f 6b (E5l) in 12.If 1). □ 

Next we prove a property that is crucial for showing closure of subalgebras. 

Lemma 4.2. In every c-monoid, the maps d and (T,r) = Xx. x ■ l n are retractions, that is, d(d(x)) = d(x) 
and (x ■ ljr) • l,,- = x ■ 1^. 

It is a general property of a retraction / : X — > X that x £ f(X) f(x) = x, where f(X) is the image 
of S under /. For every c-monoid S we define the sets of domain elements and terminal elements 

d(S) = {a; £ S \ d(x) = x}, S ) = {x £ S \ x ■ 1 % = x} 

and use the hxpoint characterisations d{x) = x and x • l n = x for typing their elements. Sets of sequential 
subidentities, vectors and nonterminal elements, however, cannot yet be expressed in the c-monoid setting. 

Lemma 4.3. In every c-monoid, 

1. d{x) - y = {x- ln)\\y, 

2. d{:x • 1 w )-y=(x- lir)\\y, 

3. d(x) ■ 1„ = x • In, 

4- d(x ■ l n ) = d(x), 

5. Itt • In - 1-7T; 

6. d( In) = la. 
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Properties (1) and (2) paraphrase axiom (Ic^l) . In particular, (2) implies that d(w) = rc||l CT for each 
w € &{S). These facts are shown in the left-hand subdiagram of Figure [2] below. Properties (3) and (4) 
correspond to the right-hand subdiagram. 


A-^ d(S ) 

(■M (-y) 

y(s) -^ s 

(lly) 


•i. 


^(S) 




d(S) 


We can now show that the sets d(S) and £?(S ) are isomorphic. 


Proposition 4.4. Let S be a c-monoid. The two functions d : ^(S) —>• d(S) and (-1^) : d(S) —» S ) form 

a bijective pair; the following diagrams commute. 



d(s) ——- d(s) &(s) -—- ns) 

^d(s) ir(s) 


Therefore d(S) “ £T{S). 

Proof. Functions are bijections if and only if they are invertible. It therefore suffices to check that d(d(x) ■ 
Itt) = d(x) and d(x ■ l ff ) • l n = x ■ 1„, which follows directly from Lemma 14.31 31 and (4) or from commutation 
of the associated diagram. □ 

Next we derive the domain axioms proposed in [B], 

Proposition 4.5. In every c-monoid, 

1. d{x\\y) = d(x)\\d(y), 

2. d(x)\\d(y) = d(x) ■ d(y), 

3. d{x) ■ x = x, 

4■ d(x ■ d(y)) = d(x ■ y), 

5. d(d(x) ■ y) = d(x) ■ d(y), 

6. d(x) ■ d(y) = d(y) ■ d(x), 

7. d(l a ) = l a . 

All axioms (ETl) - (lc5l) are needed in these proofs. Isabelle/HOL generates counterexamples in their absence. 
Equations (1) and (2) are domain proto-trioid axioms |10j . which are part of the axiomatisation of concurrent 
dynamic algebras; the others are domain monoid axioms [5]. 

We can now characterise the subalgebra of domain elements, whereas the c-monoid axioms are too weak 
to characterise that of parallel subidentities. 

Proposition 4.6. Let S be a c-monoid. Then d(S) forms a sub-semilattice with multiplicative unit l a in 
which sequential and parallel composition coincide. 

Proof. The closure conditions are verified by checking d(d(x) ■ d(y)) = d{x) ■ d(y), d(d(x)\\d{y)) = d(x)\\d(y) 
and d(l a ) = l a . Sequential and parallel composition of subidentities coincides due to Lemma rOl 2b It 
remains to check that sequential composition of domain elements is associative, commutative and idempotent, 
and that 1 CT is a multiplicative unit. □ 
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Depending on the order-dual interpretations of sequential composition as join or meet, 1 CT becomes the 
least or greatest semilattice element. As similar result has been established in but the proof does not 
transfer due to the lack of associativity of sequential composition. Next we derive three interaction laws. 

Lemma 4.7. Let S be a c-monoid. For all x,y £ S, w G d(S) and z G ^(S), 

1. z\\z = z, 

2. w||u; = w, 

3. w ■ (x\\y) = (w ■ a:)||(w ■ y). 

Finally, we refute additional interaction and associativity laws. 

Lemma 4.8. There are c-monoids in which, for some elements x, y and z, 

1. (ally) • d{z) ± (x ■ d{z))\\(y ■ d(z)), 

2. (x-y)- d(z) t l x-(y- d{z)), 

3. l n • x ^ 1 *.. 

Isabelle’s counterexample generator Nitpick presents counterexamples m■ Since they are not very 
revealing, we do not show them. 


5 c-Trioids 

This section considers variants of dioids, that is, additively idempotent semirings, endowed with a sequential 
and a parallel composition and with additional interaction laws between these operations. Our intention 
is to derive the domain axioms of concurrent dynamic logic [28i from the explicit domain definition (d) in 
a minimalist setting. We cannot expect to prove more properties from Figure [2] since neither a maximal 
element U nor a meet operation is available. 

A proto-dioid [10] is a structure (S, +, , 0, \ a ) such that (S, +, 0) is a semilattice with least element 0, 
(S, -, 1 (j ) is a proto-monoid, and the following axioms hold: 

x ■ y + x ■ z < x ■ (y + z), (x + y) ■ z = x ■ z + y ■ z, 0 • x = 0. 

The relation < is the standard semilattice order defined &sx<y<&x + y = y. A dioid is a proto-dioid in 
which multiplication is associative and the left distributivity law x • (y + z) = x ■ y + x ■ z holds. A dioid 
is commutative if multiplication is. A proto-trioid is a structure (S, +, -, ||, 0, l a , 1 T ) such that (S, +, ■, 0,1 CT ) 
is a proto-dioid and (S,+, ||,0, l ff ) a commutative dioid. In every proto-dioid, multiplication is left-isotone, 
that is, x < y =>■ z ■ x < z ■ y. Moreover, every proto-trioid is a proto-bi-monoid. 

A concurrent trioid ( c-trioid) is a proto-trioid in which the c-monoid axioms and 


x : ■ 1-tt < Itt (c6) 

hold. Independence of the axioms has been checked with Isabelle/HOL’s automated theorem provers and 
counterexample generators. 

Proposition 5.1. U, •, ||, 0, l a , \ v ) forms a c-trioid. 

Proof. The proto-trioid axioms have been verified in |10j ; the c-monoid axioms in Proposition 14.11 and 
Axiom (lc6l) in Lemma T3. 21 21. □ 
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cT 




cM 



pD pbM 


pM 

Figure 3: Class inclusions for proto-monoids (pM), proto-bi-nronoids (pbM), c-monoids (cM), proto-dioids 
(pD), proto-trioids (pT) and c-trioids (cT) 

In the setting of a c-trioid S we can now define 

S*(S) = {x e S I X < 14, yK(S) = {x e 5 | x • 0 = 0}. 

It turns out that d(S) C df(S), whereas the converse inclusion need not hold. For S' = 0 and trioid operations 
defined by 0 < l n < i G and 1^-1^ = l v (remember that lo-1|la- = lo- is an axiom) we have < 1 CT , but 

d(u) = (u-u)\\i a = i4i a = i a ^u. 

Similarly, &(S) C {x G S | x < l w }, whereas the converse inclusion need not hold. For S = 0 and trioid 
operations defined by 0 < l a < and 1^-1^ = we have l a < l ff , but 1^ • = l,r 7^ 1 CT . 

This shows that, for c-trioids, the relationships between subidentities, domain elements and fixpoints of 
(•l w ) are not as tight as expected. The set =/F(S) of terminal elements is studied in more detail in later 
sections. However we can derive the domain proto-trioid axioms of jlOj . 

Proposition 5.2. Every c-trioid satisfies the domain axioms of domain proto-trioids. 

Proof. Every c-trioid is a c-monoid, hence the properties from Section 2] hold. The following domain axioms 
of domain proto-dioids must be verified: 

• x < d(x) ■ x , which holds by Proposition I4.5l 3~): 

• d(x ■ d(y)) = d(x ■ y), which holds by Proposition 14.51 41: 

• d(x\\y) = d(x)\\d(y), which holds by Proposition 14.51 1) : 

• d(x)\\d(y) = d(x) ■ d(y), which holds bv 14.51 21: 

• d(x + y) = d(x ) + d{y), which holds by right distributivity of • and ||; 

• d{x) < 1 CT , which follows from (IcCT) : 

• d(0 ) = 0, which is immediate from the domain definition. 


□ 

This does not mean, however, that every c-trioid is a domain proto-trioid: additional axioms are assumed 
in the latter class. The relationship between c-trioids and concurrent dynamic algebra is discussed in detail 
in Section [G] 

Proposition 5.3. Let S be a c-trioid. Then d(S ) forms a bounded distributive lattice with least element 0 
and greatest element 1 CT , and in which sequential and parallel composition coincide. 
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Proof. First, by Proposition ^. 61 d(S) forms a meet semilattice, and it is clear that l a is the greatest element 
with respect to the semilattice order. 

Second, the closure condition for 0 has already been checked in the proof of Proposition l5.2l and d(x + y) = 
x + y holds for all x, y G d(S) by domain additivity and idempotency. Thus d(S) is a join semilattice with 
respect to + and 0 is the least element with respect to the semilattice order. 

Third, for all x,y,z G d(S), the absorption laws and distributivity laws x + x ■ y = x, x ■ (x + y) = x, 
(x + y) ■ z = x ■ z + y ■ z and x + y ■ z = {x + y) • (x + z) must be verified. □ 

Once more, this result is similar to that for domain proto-trioids [10], but proofs need to be revised due 
to different axioms. 

Finally sequential composition of domain elements and parallel composition of parallel subidentities are 
greatest lower bound operations, hence meets. 

Lemma 5.4. Let S be a c-trioid. Then 

1. z<xAz<y^Az<x-y, for all x,y,z G d(S), 

2. z<xAz<yAAz< x\\y, for all x,y, z G 31(S). 

6 Concurrent Dynamic Algebra 

This section explains the relationship between c-trioids and concurrent dynamic algebras, as formalised 
in |10j . In every proto-monoid or proto-trioid S with a domain operation, a modal diamond operation can 
be defined as 

(x)p = d{x ■ p) 

for all x G S and p G d(S). In the setting of c-trioids, some, but not all, of the concurrent dynamic algebra 
axioms can be derived. 

Here we call strong c-trioid a c-trioid S which satisfies, for all x,y G S and p G 5 

{x\\y) - P= (x-p)\\(y-p), 

(p-x)-y=p-(x-y), (x -p) ■ y = x ■ (p-y), (x ■ y) ■ p = x ■ (y ■ p). 

A strong c-Kleene algebra is a strong c-trioid expanded by a star operation which satisfies, for all x,y G S 
and p G J^(5), 

l a + x ■ x* < x*, p + x- y<y^x*-p<y, (x ■ p) ■ z = x ■ (p ■ z). 

Soundness has been shown in m- 

Lemma 6.1. In every strong c-trioid, the following concurrent dynamic algebra axioms are derivable. 

1. (x + y)p = { x)p + (y)p, 

2. {x -y)p= (x)(y)p, 

3. (p)q = p ■ q, 

4■ ( x\\y)p = {x)p ■ {y)p. 

Lemma 6.2. In every strong c-Kleene algebra, the remaining concurrent dynamic algebra axioms are deriv¬ 
able as well. 

1. p+(x){x*)p = (x*)p, 

2. ( x)p < p =>■ (x*)p < p. 
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dpbKA 



dpKA 




cT + 




cT 



dpD 


pT 



Figure 4: Class inclusions including domain proto-dioids (dpD), domain proto-trioids (DpT), strong c-trioids 
(cT + ), domain proto-Kleene algebras (dpKA), domain proto-bi-Kleene algebras (dpbKA) and strong c-Kleene 
algebras (cKA + ) 


Hence every strong c-Kleene algebra is a concurrent dynamic algebra. The resulting subclass relationships 
are shown in Figured] 

The following counterexample shows that the additional axioms are necessary. 

Lemma 6.3. In some c-trioid, 

1. (a;||y) • d(z) f(x ■ d(z))\\(y ■ d(z)), 

2. (x-y)- d(z) ± x ■ {y ■ d(z)), 

3. {x ■ y)p ^ (x) (y)p, 

4- < x\\y)p ± {x)p ■ (y)p. 

Proof. 1. Let S = {a} and let the trioid operations be defined by 0 < 1„ < l a < a and the tables for || 
and •; from which d can be computed. 


II 

0 

U 

1 a a 



0 

In 

la 

a 


d 

0 

0 

0 

0 0 


0 

0 

0 

0 

0 

0 

0 

u 

0 

K 

1 £7 ® 


In 

0 

u 

In 

In 

In 

la 

la 

0 

la 

lfT ® 


la 

0 

In 

la 

a 

la 

la 

a 

0 

a 

a a 


a 

In 

In 

a 

a 

a 

la 

Then (a||l T ) • d( 0) 

= a 

0 = 

W0 = 

M|0 = 

(a- 

0)11(1 

n'O) 

= 

(a • d(0))||(l 7r • 

dm- 

With the same counterexample as in 

(!),(«• 

1*) 

0 = 

In'O 

= 

0 ^ l,r = a • 0 

= a • 

(In 


3. Again, with the same counterexample, (a-l 7r )0 = d((a-l w )-0) = d( 0) = 0 ^ l a = d(l n ) = d(a-d( 1^-0)) = 
(o)(U)0. 

4. Once more with the same counterexample, (a||l 7r )0 = d((a||l 7r ) • 0) = d(l n ) = l a ^ 0 = d( 0) = 
d((a-0)||(l ff -0)) = <o)0 -(l w )0. 
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7 c-Lattices 


We have seen that c-monoids and c-trioids do not capture all isomorphisms between sequential subidentities, 
parallel subidentities and vectors outlined in Section [3] In addition, they are too weak to link the c-monoid- 
based domain definition with the alternative ones presented in the same section. A meet operation, and 
more specifically a bounded distributive lattice structure, is needed for this purpose. 

A c-lattice is a structure (S, +, n, •, ||, 0,1 CT , 1^, U, l w ) such that (L, +, n, 0, U) is a bounded distributive 
lattice with least element 0 and greatest element U , (S, +, •, ||, 0, 1 CT , l n ) is a proto-trioid and the following 
axioms hold. 


x ■ + x ■ Itt = x ■ U, (ell) 

bn(a:+ l w ) = x ■ 0, (cl2) 

x-(y\\z)<(x-y)\\(x-z), (cl3) 

z\\z <z=> (®||y) ■ z = (x ■ z)\\(y ■ z), (cl4) 

x ■ (y ■ (z -0)) = (x ■ y) ■ (z ■ 0), (cl5) 

(x ■ 0 ) • y = x ■ (0 • y), (cl 6 ) 

1(7 || 1(T “ 1(7? (d7) 

{{x • l w )|| l a ) ■ y = (x ■ u)\\y, (cl 8 ) 

{{xni a )-u)\\i a = xni a , (cl9) 

((xnT,,) • 1^)111^ = U n (x riT w ) ■ l n , (cllO) 

((xnT f ) • 1 W )||I W = (xnI T ) -V (clll) 


Axiom (Iclll) and (Icl2l) imply that l ff and l w are complements, that is, 

Itt + In- = U, It n ljr = 0. 

In addition, (Icl2l) implies that x n l n = x ■ 0. 

The axioms (Icl3l) - (lcl6l) express associativity and interaction properties. Further associativity properties 
for sequential and parallel subidentities as well as for U hold in the multirelational model, but those are 
either derivable or not directly needed for the main results in this article. We mention them explicitly 
whenever they occur. Axioms (Icl7l) and (IclSl) are taken from c-monoids. Axiom (lc!9ll can be written as 
d(x n l a ) = x n 1 ( 7 ; it expresses one of the isomorphism conditions from Figure [2] Axiom (IcllOl) can be 
written as d{x n 1 T ) = l a n (x n l ff ) • l v . Axiom imp can be rewritten as d(x n 1 T ) • l x = (x n l ff ) • l n . 
These domain properties are reminiscent of the relational case and have been motivated in Section [3] 

We have used Isabelle’s counterexample generators to analyse irredundancy of these axioms. However, 
due to their large number, this was not always successful. Whether the set of axioms can be compacted 
further remains to be seen. 

Proposition 7.1. Every c-lattice is a c-trioid. 

It follows that every c-lattice is a c-monoid. Next we prove a soundness result. 

Proposition 7.2. (^(X), D, •, ||, 0, 1 CT , l n , U, l n ) forms a c-lattice. 

Proof. We have verified the proto-trioid axioms in Proposition 15. 11 Axioms (Icl3l) - (lcl6l) in LemmaAxioms 
(Icl7l) and (IclSl) in Proposition l4.ll and the remaining axioms in Lemma 13.21 □ 

We call a c-lattice boolean if its lattice reduct forms a boolean algebra. It is easy to see that multirelations 
form in fact boolean c-lattices. Moreover, infima and suprema of arbitrary sets exist in the algebra of 
multirelations, and an infinite left distributivity law for sequential composition with respect to suprema and 
infinite left and right distributivity laws for parallel composition with respect to suprema hold. Multirelations 
therefore form quantale-like algebras. This is further explored in Sections fl2l and fl3l 
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For a c-lattice S we can now define also 


'f ( S ) = {x G S | (x • l„.)||f7 = x}, (S) = {x G S \ x\\U = x}. 

Lemma 7.3. Let S be a c-lattice. Then 

1. d(S) = y(S), 

2. ^{S) = {x G 5 | x < l n } = {x G S' | x • 0 = x}, 

3. V(S) = {x G S | d(x) -U = x}, 

4■ S ) = {xG5|xnl 7r = 0} = {xGS'|x< ljr}. 

More specifically, d(x) = x if and only if x < l a , x ■ 1^ = x is equivalent to each of x < and x ■ 0 = x, 
(x • c)\\U = x if and only if d(x) ■ U = x, and x • 0 = 0 is equivalent to each of x fl 1 T = 0 and x < l n . 
This correspondence between subidentities, domain elements and terminal elements captures that in the 
multirelational model. 

The next three lemmas collect some basic properties of c-lattices. 

Lemma 7.4. Let S be a c-lattice. Then 
1. (x -y) ■ z = x • (y ■ z), if z G &{S), 

(x ■ z)\\(y ■ z) = (x|| y) ■ z, if z G &(S) uy(S), 

3. x < x\\x, 

4■ X n y < x|| y. 

Lemma 7.5. Let S be a c-lattice. Then 

1. x = (x n In) + x • 0, 

2. x < In, if X G 5^{S), 

3. (x • u) n Ijr = (x • 0) n = (x n T t ) -0 = 0. 

Lemma 7.6. In every c-lattice, 

1. l v = U-0, 

2. U\\U = U ■ U = U ■ In = In ■ U = U, 

3. In ' X — In ' 1 n — U * 1 n = I7r? 

4- ln\\ln = U\\ln =Tn -U = U- 

Property (1) gives an explicit definition of 1^. Some of the other properties have already been stated in 
Lemma l3.1l in the multirelational model. It follows that all constants are sequential and parallel idempotents. 

The final lemma of this section collects further simplification and decomposition properties that are 
interesting for domain definitions. 

Lemma 7.7. In every c-lattice, 

1. x ■ y = (x n In) - y + x ■ 0, 

2. i CT n (x n 1^) • y = i CT n x ■ y, 

3. i a n x ■ h = i ff n x -U, 
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4- i<t n x\\in = i a n x\\U, 

5. (x • l 7r )||I 7r = (x nT*) -I*. + (x • 0)||I T , 

6. (x-U)\\U = x-U+ {x-0)\\U. 

Equations (2), (3) and (4) can be visualised by the following subdiagrams of Figure [21 


(nl ff ) (-y) 

S —^V(S) > ■ 5 






{■y ) 


s- 


(ni 0 


(ni.) ( -U) 

■^(5) 


(nia) (II U) 


(ni<7) 


y(S) 


s- 


(niff) 


(ni 0 


y(S) 


8 Domain in c-Lattices 


This section presents explicit domain definitions and related properties for general and nonterminal elements. 
First, using d{x) = (x ■ Itt) ||lo-, recall that we can rewrite some of the c-lattice axioms: 


d(x) ■ y = (x • l n )\\y, (cl8) 

d{x n l a ) = x n Iff, (cl9) 

d(xnT n ) = i a n (rnh) -T n , (clio) 

d{x n 1^) • i„ = (x n l v ) ■ l n . (dll) 


Properties (IcllOl) and (Icllll) are visualised by the following subdiagram of Figured 


(■!*) 

jY{S) - 

y(s) 

These two identities admit the following variations. 

Lemma 8.1. In every c-lattice, 

1. d(U) = d{ 1„) = Iff, 

2. d(x n ) = iff n x ■ i n , 

3. d{x n l n ) —■ Iff I I (x I I Ft) • U, 

4■ d(x n Itt) = Iff n X ■ U, 

5. d{x n T*.) = iff n ((x n T OT ) ■ i w ) ||I W , 

6. d(xni n ) = iff n ((xnF) ■ i w )\\U. 

Identity (5) corresponds to another subdiagram of Figure [21 


(• 1 „) 

jV{S) — 


d 

y(S) 


(niff) 


IM 

n^{s)) 
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The remaining properties are obtained by combining the diagrams for (IcllOl) . Jell 111 and (5) with those for 
Lemma r m Equation (3), for instance, corresponds to the following commuting diagram. 


('M 



Since d(x) = d{x n l n ) + d(x ■ 0) by Lemma 17.41 and Proposition 15.21 we can generate explicit definitions 
of d(x) by inserting those for d{x n l n ) and d(x ■ 0), for instance 

d(x) = (l a H x ■ U) + (x ■ 0)||1 CT . 

This explains, in particular, the difference between relational and multirelational domain definitions. We 
can also use the various definitions of d{x n L) and d(x • 0) to generate more compact definitions. 

Lemma 8.2. In every c-lattice, 

1. d(x) =l a \l(x- 1^)111^, 

2. d(x) = l a r\{x- 1^)1117, 

3. d(x) = (l,r n X • U) lifer. 

These identities correspond to the following commuting subdiagrams of Figure [2] 



Finally we mention some variations of Axiom llcll 111 . 
Lemma 8.3. In every c-lattice, 

1. d(x n 1^) • U = (ill l n ) • U, 

2. d(x) -T n = (x nT^) -T*. + (x ■ 0)111^, 

3. d(x) -U = (xn l n ) ■ U + (x ■ 0)\\U, 

4■ d(x) ■ U = x ■ U + (x ■ 0)||f/, 

5. x ■ l w = d(x n 1^) -l n + x -0. 

6. x ■ U = d(x n l,r) ■ U + x • 0, 

7. d(x ■ U) = d(x ■ Itt) = d(x). 
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9 Subalgebras of c-Lattices 

This section studies the structure of the subalgebras of sequential subidentities, parallel subidentities, vectors 
and nonterminal elements. First we consider the set y(S) of sequential subidentities of a c-lattice S. We 
can freely identify subidentities with domain elements and use results for d(S) from Section [8] 

Proposition 9.1. Let S be a c-lattice. The set y(S) forms a distributive lattice bounded by 0 and 1 CT , and 
in which sequential and parallel composition are meet. It forms a boolean algebra if S is boolean. 

Proof. Relative to Proposition 15.31 it remains to check that 5 fi (S) is closed under meets and that meet 
coincides with multiplication in this subalgebra. Meet closure follows from d(pUq) = pUq for all p,q G y(S). 
Sequential composition of domain elements is a greatest lower bound operation in y(S) by Lemma l5.4f 4h 
Hence it coincides with meet and parallel composition. Finally, if S' is a boolean algebra with complement 
x for each x G S, we define complementation on S?(S) by / = l 5 ni. □ 

Proposition 9.2. Let S be a c-lattice. The set f?(S) forms a sub-c-lattice bounded by 0 and 1in which 
parallel composition is meet, and in which all x G IX (S) are right units of sequential composition. It is 
boolean whenever S is. 

Proof. First, parallel composition of terminal elements is a greatest lower bound operation on IX (S) by 
Lemma I5.41 71. It therefore coincides with meet. Second, the c-lattice operations are closed: 0-0 = 0, 
Itt- 0 = l ff) x-O + y-O = (x + y) -0, (x • 0) n (y • 0) = (ajny)-O, (a: - 0) || (2/ • 0) = (a;||y)-0 and (x • 0) • (y ■ 0) = z-0. 

Thus IX (S) forms a c-lattice bounded by 0 and Iff. By (x • 0) • (y ■ 0) = x ■ 0, sequential composition is 
a projection, hence every terminal element a right identity. Finally, for every boolean c-lattice S, the set 
IX (S) forms a boolean subalgebra with complementation defined similarly to the sequential case. □ 

The subset 'V (S) of vectors of a c-lattice S does not have such pleasant properties. In particular, vectors 
are not closed under sequential composition. With x G Y(S) if and only if d(x) ■ U = x it is easy to see that 
U G y(S) and 0 G y(S), whereas U ■ 0 = 1*-^ 'X(S). In addition, vectors in c-lattices need not be closed 
under meets, whereas this is the case in the multirelational model, where (R (1 S) ■ T = R ■ T fl S ■ T holds 
for R,S G IX(X). At least we have the following closure properties. 

Lemma 9.3. In every c-lattice, 

1. d(0) -U = 0 and d(U) -U = U, 

2. d(x) ■ z + d(y) ■ z = d{x + y) ■ z, 

3. {d{x)-U)\\{d{y)-U) = d{x\\y)-U. 

Finally we consider the subset ^T(S) of nonterminal elements, where the analogy with binary relations 
is more striking. 

Proposition 9.4. Let S be a c-lattice. The set <yT(S) forms a sub-c-lattice of S without parallel unit in 
which 0 is a right annihilator of sequential composition and the maximal element. It is boolean whenever 
S is. 

Proof. It needs to be checked that On Iff = 0, 1 CT n 1*- = l a and that (x + y) niff = x + y, (x n y ) n l w = x n y, 
(x ■ y) n Iff = x ■ y, (x\\y) nl x = x\\y hold for all x, y G ^V(S). 

Also, in every non-trivial algebra, Iff 0 ^P(S). Finally, (x n l v ) ■ 0 = 0 by Lemma 1731 31 and l w is the 
maximal element by definition. □ 

Next we consider the subalgebras + e („ / L(S )) and y(^(S)). First, y(S) C ^V(S), hence y(jV(S)) = 
y(S) and Proposition EU] applies without modification to jV(S). 

Corollary 9.5. Let S be a c-lattice. The set y(jP(S)) = y(S) forms a bounded distributive sublattice of 
jP(S). It is a boolean algebra whenever S is. 


18 


Next we consider the subalgebra of vectors. First we derive a variant of Tarski's rule from relation 
algebra (cf. fl7l ). 

Lemma 9.6. LetR£^(X). Then R fl l n ^ l =>■ l w ■ ((i? D l w ) • 1^) = 1 T . 

As common in relation algebra we keep Tarski’s rule separate from the other axioms since it is not even 
a quasi-identity. We can use it to prove the following fact. 

Lemma 9.7. Let S be a c-lattice in which Tarski’s rule and d(x) ■ (y ■ z) = ( d(x ) • y) ■ z hold. Let x,y £ 
y(jT{S)). Then 

Jo, if y = 0, 
x ■ y = < 

[x, ify^ 0. 

Proposition 9.8. Let S be a c-lattice in which Tarski’s rule and 

( d{x ) n d(y)) ■ z = d(x) ■ z n d(y) ■ z, (d(x) ■ y) ■ z = d(x) ■ (y ■ z) 

hold. Then Y{^V{S)) is a sub-c-lattice of bounded by 0 and l w , in which 0 is a left annihilator and 

parallel composition is meet. 

Proof. We need to verify the closure conditions 0 • = 0 and 1^-1^ = 1„ as well as (x + y) ■ 1„ = x + y, 

(x n y) ■ Itt = x n y, (x ■ y) ■ 1„ = x ■ y and (x|| y) ■ l n = x\\y for all x,y £ PT(S), and x\\y = x n y for all 
x, y £ PT(S). □ 

Note that nreet-closure is enforced by assuming (d(x) nd(y)) ■ z = d(x) ■ zUd{y) ■ z. This and all additional 
assumptions on multirelations used in this section have, of course, been verified in the nrultirelational model. 
Whether stronger properties hold in situations where sequential composition is associative remains to be 
seen. 


10 Isomorphisms in c-Lattices 


This section finally verifies the isomorphisms between sequential subidentities, parallel subidentities and 
vectors from Figure Q] and [2] in the context of c-lattices and for their nonterminal elements. 

We also characterise the structure that is preserved by these mappings. Given the results on subalgebras 
from the previous section it cannot be expected that sequential composition is preserved. This is indeed 
confirmed by the multirelational counterexamples in this section—apart from one exception. The other 
c-lattice operations are preserved. In particular, all isomorphisms are constructed from the operations and 
constants of c-lattices, so that their properties can be checked within the c-lattice setting by simple equational 
reasoning. 

Proposition 10.1. Let S be a c-lattice. 

1. The maps (-U) and d as well as (||f7) and (-1^) in the following diagrams form bijective pairs; the 
diagrams commute. 


Y{S) 



y(s)— - ^y(s) 

j -S"IS) 


y(s) 



Y{S) — - *-V{S) 

1 r(s) 


-T(S) 



y(s) — -- y(s) 

tsr(s) 


y{s) 



v{s) - r(S) 

1 r(s) 
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2. Therefore S ) “ &(S) “ y(5). 


Proof. The isomorphism between d(S) and S ) has been verified in Proposition l4.4l moreover d(S) = S fi {S) 

by Lemma 17.31 It remains to check that 

d(d(x) ■ U) = d(x), d{{x ■ l w )||t/) • U = {x ■ 1^)11 C7, 

((* • Mil U) ■ in = x ■ i n , (((* • i n )\\u) • Mil U = ( x • MIM 

□ 

Proposition 10.2. Let S be a c-lattice. 

1. The maps (T w ) and d, (-1^) and d, and (||l- 7 r) o,nd (-1^) in the following diagrams form bijective pairs; 
the diagrams commute. 





y{pns)) — -- y(pK(s)) 

1 


y{pp{s)) 



?{jp{s)) — -- 

1 sr(jrts)) 


n^{S)) 



y^s)) — -- y^(s)) 

i, n-#{s)) 

n^ns)) 



?{PT{S)) - -- £T{S) 

2. Therefore y^Y{S)) “ £T(^(S)) = Y{PY{S)). 
Proof. The following conditions must be checked. 

d(d(x n M • = d(x n Mi 

d(d(x n M ■ M = d(x n M> 

(((x n 1^) * 17 r) || 17 r) ' 17 r = (x n l^) * Ittj 


y{pp{s)) 



r(pr{s)) — -- n^(s)) 

tr(^K(s)) 

n^(s)) 



■if. v(s))— -- n^(s)) 

J-r(^K(S)) 


d(^{x FI Itt) * 1^) * 1-7T — [x Id Itt) ' 1 7ri 

d(^{x FI Itt) * lir) ' Lr — (x Id Itt) ' I 7 D 
(((X dl ff ) • Itt) • MIM = (X dTjr) • 1„. 


□ 


We now investigate structure preservation of these bijections. 


Proposition 10.3. Let S be a c-lattice. The maps 

(M : ^(S) -t &(S), 

(-U) : y(S) -»• r{S), 

(II U) : <?(S) ^ ns), 


d: 3 T{S)^y{S), 
d-.y(s) ^ y{s), 

(•Itt) : r(S) -► &(S) 


preserve addition, meet and parallel composition, minimal elements and maximal elements of the subalgebras. 
The last map also preserves sequential composition. 
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Proposition 10.4. Let S be a e-lattice. The maps 


(■ 1 *) : V{S )) d : S )) -> y{ZY{S)) 

(•!*) : y{^(S)) -)• r(^(5)) d : 'T(^(5')) ->■ ^(^(5)) 

(IIU) : ^(yT(S)) 1^(5)) (-I,) : y(^K(5)) -> <^(^(5)) 

preserve addition, meet and parallel composition, minimal elements and maximal elements of the subalgebras. 

We complement these results by refuting preservation of sequential composition for the remaining maps 
between sequential identities, subidentities and vectors. 

Lemma 10.5. 1. No isomorphism in ^/L(X) except (-1^) preserves sequential composition. 

2. No isomorphism in jV(fX) preserves sequential composition. 

Proof. • Let R = {(a, {a})} and 5 = 0, both of which are in AX{JT{X)) and X(^Y(X)). Then 

(R ■ 5) • l v = 0 C {(a, 0)} = (R ■ U) ■ (S ■ l n ), 

(1? • 5) • £/ = 0 C {(a, 0)} = {R ■ U) • 0 = {R ■ U) • (5 • U). 

• Let R = {(a, 0)} and 5 = 0, both of which are in tZ(yY(X)) and Y{X). Then 

d(R • 5) = d{R) = {(«, {a})} D 0 = d{R) ■ 0 = d{R) ■ d(S), 

(R ■ S)\\U = {(a, 0), (a, {a})} D R = ( R\\U ) • 0 = (R\\U) • (S\\U). 

• Let R = {(a, {a}), (a, {&}), (a, {a, &})}, 5 = {(6, {a}), (6, {&}), ( b , {a, 6})}, both of which are in 'f (jY (X)). 
Then d{R ■ S) = d(R) = {(a, {a})} D 0 = d(R) ■ d(5). 

□ 


11 Terminal and Nonterminal Elements 

Algebras of multirelations share some features with algebras of languages with finite and infinite words. Both 
form trioids with parallel composition corresponding to shuffle in the language case. However, (X||F) • Z C 
(X ■ Z)\\(Y ■ Z) does not generally hold in languages (consider X = {a}, Y = { 6 } and Z = {cd}), the algebra 
of sequential subidentities is trivial (it consists only of the empty and the empty word language), and the 
notion of vector does not seem to make sense. 

For an alphabet E, a finite word language is a subset of E*, the set of all finite words over E. An 
infinite word language is a subset of E“, the set of all strictly infinite words over E. Languages in which 
finite and infinite words are mixed are subsets of E°° = E* U E“. One can then use fin : 2 s — > 2 s and 
inf : 2 s —> 2 s to project on the finite and infinite words in a language. 

Analogously, the maps fin to r : „#(X) —> tY(X) and inf to v : ,yM(X) — > jV(X) defined by 

r = Aa;. x ■ 0, v = Ax. ink 

project on the terminal and the nonterminal part of a multirelation. More abstractly, we define such functions 
r : 5 —> and v : 5 —» zY(S) on a c-lattice 5. 

Many properties of fin and inf (cf. [25] ) are shared with v and r , but there are also differences. 

Lemma 11.1. In every c-lattice, 

1. the functions r and v are interior operators, and therefore retractions, 

2. t{x) + v{x) = x and t(x) fl v(x) = 0, 
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3. t(v(x)) = 0 and v{t(x)) = 0. 

The properties t(x) < x, t(t(x)) = t(x ) and x < y =>• t(x) < r{y) must be verified to show that r is an 
interior operator, and likewise for v. The next lemmas are essentially transcriptions of properties verified in 
the proofs of Proposition 19.21 and 19.41 

Lemma 11 . 2 . In every c-lattice, 

1. t( 0 ) = 0 and i/(0) = 0, 

2. t( 1 ct ) = 0 and v(l<r) = 1 a , 

3. r(l ff ) = and = 0, 

4- t( 1 w ) = 0 and v(l n ) = 1^, 

5. t(U ) = l ff and v{U) = l v . 

Lemma 11.3. In every c-lattice, 

1. r (x + y) = r(x) + r(y) and v(x + y) = u(x) + v(y), 

2. t(x n y) = t(x) n r(y) and v{x n y) = v{x) n v(y), 

3. r(x\\y) = t(x)|| r(y) and v{x\\y) = d(r(x)) ■ v{y) + d(r(y)) • v(x) + v(x)\\v{y), 

4■ t(x ■ y ) = t(x) + v(x) ■ r(y). 

Lemma lll.2l and lll.3l show that r and v preserve the constants, addition and meet. Moreover, r preserves 
parallel composition. The next lemma refutes such a property for the remaining operations. 

Lemma 11.4. 1. There are R, S £ (X) such that t(R ■ S ) ^ t(R) ■ r(S). 

2. There are R, S £ M(X) such that n(R. ■ S) ^ v(R) ■ o(S). 

3. There are R,S £ ^(X) such that j/(l?||5) ^ z'(.R) ||i/(S). 

Proof. 1. If R = {(a, 0), ( 6 , {a})} and S = {(a, 0)}, then t(R ) • t(S) = S C R ■ l w = t{R ■ S). 

2. If R = {(a, {a, b})} and S = {(a, 0), ( 6 , {a, &})}, then v{R-S) = R^%= v{R) • v(S). 

3. If R = {(a, {a})} and S = {(a, 0)}, then i/(l?||S) = R ^ 0 = i'(R)\\iy(S). 

□ 

We do not have a compositional characterisation of v(x-y). On the one hand, v{x-y) = v(v{x) -y), but on 
the other hand, without left distributivity, this cannot easily be decomposed further. In the multirelational 
model, elements (b, 0) £ S can obviously contribute to pairs (a, A) £ R ■ S with 4^0. This makes the 
situation different from the language case, where fin(X • Y) = fin(X) • fin(T). Interestingly, however, this 
does not rule out simple decomposition theorems for sequential and parallel composition. 

Lemma 11.5. In every c-lattice, 

1. x ■ y = t{x) + v(x) • y, 

2. x\\y = v(x)\\v(y) + d(v(x)) ■ r(y) + d{v{y)) ■ t{x) + r(x)||r(y). 

It seems natural to identify elements of c-lattices if they coincide on their terminal or their nonterminal 
parts. 

Lemma 11.6. Let S be a c-lattice. Then S) and ^(S) form order ideals. 
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It is straightforward to check that x £ &{S) and y < x imply y £ &(S), and that x,y £ &{S) imply 
x + y £ J^(S), where & is either IX or . 

Verification and refutation of algebraic ideal properties is important as well. 

Lemma 11.7. In every c-lattice, 

1. x € S ) implies x\\y £ PT(S), 

2. x £ ?X(S) implies x ■ y £ f?(S) and y ■ x £ &(S). 

Lemma 11.8. There are R £ £?{X) and S £ yf'(X) withR ■ S £ X), S ■ R £ </K(X) and i?||S ^ &(X). 

Proof. Let R = {(a, 0)} and S = {(a, {a})}. Then R- S = S ■ R = R is not in Jf (X) and R\\S = S is not in 

3T(X). □ 

Define the relations on a c-lattice S by 

x Et y r(x) < r(y), x y <£> v(x) < v(y). 

Lemma 11.9. In every c-lattice, 

1. the relations C T and C„ are partial orders, 

2. xQ T y implies x + z Q T y + z, x n 2 C r y n z, x\\z C r y\\z and z ■ x Q T z ■ y, 

3. x y implies x + z Q u y + z, x n 2 C„ y n z and x ■ z Q v y ■ z. 

The missing precongruence properties are justified by the following counterexamples. 

Lemma 11.10. 1. There are R,S,T £ ^f(X) such that t(R) C t(S) and t(R ■ T) % t(S ■ T). 

2. There are R,S,T £ ^(X) such that v{R) C v(S) and v(R\\T) ff. v(S\\T). 

3. There are R,S,T £ ^(X) such that v(R) C v(S) and v(T ■ R) v(T • S). 

Proof. 1. Let R = {(a, {a})}, S' = 0 and T = {(a, 0)}. Then 

t(R) = T (S) = t(S T) = 0 C T = t{R ■ T). 

2. Let R = {(a, 0)}, S = 0 and T = {(a, {a})}. Then 

v{R) = v(S) = v(S\\T) = 0 C v{R\\T) = T. 

3. Let R = {(a, 0), (6, {&})}, S = {(&, {&})} and T = {(a, {a, &})}. Then v(R) = i'(S) = S, but v{T ■ R) = 
{(«,{&})} D 0 = ^-5). 

□ 

Similarly, we can define the relations 

x ~ T y = x Er y A y C T x, x y = x y A y x. 

Obviously, therefore, x ~ r y <=> r(x) = r(y) and x y <=> v(x) = v{y). The following facts then follow 

immediately from Lemma 111.91 and 111.101 

Corollary 11.11. In every c-lattice, 

1. the relations ~ T and are equivalences, 

2. x ~ T y implies x + z y + z, x fl z y fl z, x\\z ~ T y\\z and z ■ x ~ r z ■ y, 
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3. x ~j, y implies x + z y + z, x n z y r\ z and x ■ z y ■ z. 

Corollary 11.12. 1. There are R,S,T £ ,/# (X) such that t(R) = t(S) and t(R ■ T) ^ t(S ■ T). 

2. There are R,S,T £ such that v{R) = v(S) and i>(R\\T) ^ is(S\\T). 

3. There are R,S,T £ such that v(R) = v{S) and v(T ■ R) =£ v(T ■ S). 

These results confirm our intuition about terminal and nonterminal elements. First, parallel composition 
with a nonterminal elements yields a nonterminal element and sequential composition with a terminal element 
yields a terminal element, whereas sequential composition with a nonterminal element does not necessarily 
yield a nonterminal element and parallel composition with a terminal element does not necessarily yield 
a terminal element. Second, if two multirelations agree on their terminal elements, then their parallel 
compositions with a third element and their sequential composition from the left with a third element also 
agree on their terminal elements, whereas this need not be the case for sequential composition from the 
right. If two multirelations agree on their nonterminal elements, then their sequential compositions from the 
right by a third element agree on their nonterminal elements, but this need not be the case for sequential 
composition from the left or parallel composition. 

12 c-Quantales and Finite Iteration 

Iteration is best studied in a quantale setting where various fixpoints exist. In fact, in our Isabelle formali¬ 
sation, many of the results in this and the following section are obtained in the weaker settings of c-Kleene 
algebras and c-w-algebras Eh but quantales provide a unifying generalisation. In addition, the least and 
greatest fixpoints corresponding to finite and infinite iteration exists in quantales, whereas they need to be 
postulated in the weaker algebras. 

Let (L, <) be a complete lattice. We write for the supremum of the set X C L and for its 
infimum. In particular, we write x + y for the binary supremum and x\ly for the binary infimum of x,y £ L. 
We write U = L for the greatest and 0 = 0 for the least element of the lattice. 

A proto-quantale is a structure (Q, <, ■) such that (Q, <) is a complete lattice and 

x<y^z-x<z-y, C^ d Xj) ■ y = 'Y'jxj ■ y). 

iei id 

A proto-quantale is unital if it has a unit of multiplication 1 which satisfies 1 • x = x and x ■ 1 = x. It is 
commutative if multiplication is: x ■ y = y ■ x and distributive if the underlying lattice is distributive. 

A quantale is a proto-quantale with associative multiplication, x ■ (y ■ z) = {x ■ y) ■ z, and the following 
distributivity law holds: 

x-(52vi) = ^2{x-Vi)- 

iGl i£l 

A proto-bi-quantale is a structure (Q, <, •, ||, 1 CT , fo) such that (Q , <, ■, l a ) is a unital proto-quantale and 
(Q , <, ||, Itt) a unital commutative quantale. Obviously, every pb-quantale is a proto-trioid. A c-quantale is 
a proto-bi-quantale which is also a c-lattice. 

Theorem 12.1. C, •, ||, 1 CT , l ff ) forms a boolean c-quantale. 

All axioms except for the infinite distributivity laws with respect to sequential and parallel composi¬ 
tion have either been verified in Proposition 17.21 or they follow directly from the underlying set structure. 
Verification of these distributivity laws is straightforward. 

It follows from general fixpoint theory that all isotone functions on a quantale (as a continuous lattice) 
have least and greatest fixpoints. In addition, least fixpoints can be iterated from the least element of the 
quantale up to the first infinite ordinal whenever the underlying function is continuous, that is, it distributes 
with arbitrary suprema. Similarly, greatest fixpoints can be iterated from the greatest element of the quantale 
whenever the underlying function is co-continuous, which, however, is rarely the case. 
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Furusawa and Struth m have studied the least fixpoints of the function 


F rs = XX. S U R ■ X 

and its instance F R = F R = XX. l a U R ■ X in the concrete case of multirelations. Here we study them 
abstractly in c-quantales. We write x* = yF x and x*y = pF xy . 

Our first statement expresses x* in terms of its terminal and nonterminal parts, at least in a special case. 

Lemma 12.2. In every c-quantale in which x ■ (y ■ z) = (x ■ y) • z holds for all elements, 

x* = v{x)* ■ (1 fj + r(x)). 

Proof. For x* < v(x)*(\ a + t(x)) it suffices to show that that v(x)* ■ (1 CT + t(x)) is a pre-fixpoint of F x . 
In addition, v(x)*(l a + t(x)) < x* follows from results from [TO] , namely that ( x*x*) < x* (because 
x* + x ■ x* < x*) and that x* ■ x* < ( x*x*) (by fixpoint fusion), whence x* ■ x* < x*. □ 

Next we characterise the terminal and nonterminal parts of x*. 

Lemma 12.3. In every c-quantale, 

1. t(x)* = l a + t(x), 

2. t(x*) = v(x*) ■ t(x) if x ■ (y ■ z) = (x ■ y) ■ z, 

3. v{x)* < v{x*), 

4. r( v{x)*) = 0 and v{v{x)*) = v{x)*, 

5. v{t{x)*) = 1 (j and t(t(x)*) = t(x). 

Of course the lack of characterisation for v(x*) owes to that for v(x ■ y). 

Lemma 12.4. There is a R € (X ) such that v{R*) 2 V {R)* ■ 

Proof. Let R = {(a, {b, c}), (&, 0), (c, {d})}. Then (a, {d}) € R* and (a, {d}) € u(R*), but (a, {d}) ^ v(R)*. 

□ 

Next we relate x* with notions of finite iteration. For multirelations, Peleg [28] has shown that F R and 
F R s are not necessarily continuous, whereas in the externally image finite case, where for each (a, A) £ R 
the set A has finite cardinality, 

R* = yF R = F* r (V>) = (J F*(0). 

ie N 

In addition, Furusawa and Struth m have defined 

r( 0) = R (i+ 1) = l a UR. R(i) t R(*) = (J R(i) 

ie N 

and shown that, in the externally image finite case, R* = R(*\ Finally, Goldblatt [14] has defined 

i?l°l = l CT , = 1 CT u R- R [n \ R [ * ] = 1J R [n] . 

new 

We now compare these iterations in the c-quantale setting. We call a c-quantale externally image finite 
if x* = x . First we prove a technical lemma. 

Lemma 12.5. In every proto-dioid, 

1. x^ < x( n+1 \ 
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2 . xW < a;[” +1 ], 

3. (1 a + x) n < (lo- + x) n+1 , 

4■ {la + x) n+1 = l a + X ■ {l a + x) n . 

The next lemma shows that Goldblatt’s iteration coincides with Peleg’s, and it gives a simpler charac¬ 
terisation of the former. 

Lemma 12 . 6 . In every c-quantale, 

1. sW = 

2- * W =£„<*(!" +*)"> 

3. v{x)^ = £„ eN (l CT + v{x)) n . 

Obviously, (3) follows from (1) and (2). Therefore, the characterisation of a;* can sometimes be simplified 
in the externally image finite case. 

Corollary 12.7. In every c-quantale in which x ■ {y ■ z) = (x ■ y) ■ z holds for all elements, 

x {*) = + v(x)) n ) ■ {la + t{x)). 

n(E N 

13 c-Quantales and Infinite Iteration 

This section studies three additional notions of iteration for multirelations: a unary strictly infinite iteration 
R u , a possibly infinite iteration R°° and a binary possibly infinite iteration R U S. These arise as the greatest 
fixpoints of the function 

F rs = XX. S U R ■ X 

and its instances Fr = F R $ = XX. R-X and Fri o = XX. laUR-X. More precisely, RP = vFr, R°° = pFri^ 
and R U S = pFrs and these fixpoints exist due to the complete lattice structure of {X) and the fact that 
the three functions under consideration are isotone on that lattice. 

As in the cases of the least fixpoints hFr and yF R s, we wish to relate the greatest fixpoints. We can use 
the following fusion law for greatest fixpoints. 

Theorem 13.1. 1. Let f and g be isotone functions; let h be a co-continuous function over a complete 

lattice. If ho g > f o h, then h{ug ) > vf. 

2. Let f, g and h be isotone functions over a complete lattice. If f o h > hog, then vf > h{vg). 

Corollary 13.2. Let R, S € (A). Then R u U pF R s Q vFr$- 

The proof uses Theorem 113.11 In fact, we have also proved a corresponding abstract statement in the 
context of proto-quantales with Isabelle/HOL [1II . However, the inequality is strict. 

Lemma 13.3. There are R, S € ,/4!{X) such that vFrs 7 ^ R u U pF R s- 

Proof. Consider the multirelations R = {(a, {6, c}), (6, {a})} and S = {(c, {a})} over the set X = {a,b,c}. 
Then R u = 0 can be checked easily. 

Moreover, R*S = {(a, {a}), (a, {b, c}), {b, {a}).{b, {b, c}), (c, {a})}- This can be checked by verifying S U 
R ■ {R*S) = (R*S). It follows that 

R ■ ( R*S ) = {(a, {a}), (a, {b, c}), {b, {a}), {b, {b, c})}. 

Finally, RP S = {(a, S), {b, S), (c, a)} for all SCI, which can be checked by verifying S U R ■ {R U S) = 
{R U S). In particular, R ■ {R“S) = {{a, S), {b, S)}. □ 
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This counterexample is not related to the absence of associativity, but to the lack of left distributivity. 
There is therefore no hope that the situation can be resurrected for tests and modalities, as in the case of 
the star m , 

As a consequence, the greatest fixpoint R^S cannot be reduced to a formula involving the greatest 
fixpoint RP. At the level of c-quantales we obtain the fixpoint axioms 

x u y < y + x ■ (x^y), z<y + x- z=>z< x u y. 

Since Fr = Frq by definition, this yields x u = x u 0 and the following unary w-unfold and w-coinduction 
axioms as special cases: 

x u < x ■ x “, y<x-y^y<x u . 

These can be used for deriving the following properties. 

Lemma 13.4. For every c-quantale, 

1. x u = x ■ x u , 

2. x < y =>• x u < y u . 

Lemma 13.5. For every c-quantale, 

1 . 0 “ = 0 , 

8. K = 1*, 

3. 1" = X = U“ = U, 

The fact that 1“ and 1^ are U, instead of l v , is not entirely satisfactory: one would not assume that the 
iteration of an element JF{S ) leads outside of this set. 

The characterisation of terminal parts of elements is still satisfactory, whereas for nonterminal elements, 
the lack of characterisation for products makes the situation less pleasant. 

Lemma 13.6. In every c-quantale, 

1. t(x) < t(x u ), 

2. t{x) u1 = t{x), 

3. T(Vr < t(x u ). 

Lemma 13.7. In every c-quantale, v{x)“ + v{x)* ■ t[x) < x u . 

The converse implication is ruled out by the counterexample in Lemma 113.31 
Next we briefly compare Fr\ a with Frs , that is, R°° with R U S. 

Lemma 13.8. There are R,Sg (X) such that ( R U S ) ^ R°° ■ S. 

Proof. In the above counterexample, R U S = {(a, S),(b, S),(c,a)} for all S C X. However, R°° = R* = 
{(a, {a}), (a, {b, c}), (6, {&}), (6, {a}), (6, {b, c})} and therefore R°° ■ S = R* ■ S = 0. □ 

Here we cannot even obtain R°° ■ S C S) by fixpoint fusion, since this requires co-continuity of 
Xx. x ■ S, that is, (Die/^i) ' $ = D' ^)j which does not hold. Hence this time the failure of equality 
owes to the lack of associativity and co-continuity. Note that ( R U S ) need not be equal to R°° ■ S for binary 
relations for similar reasons. In this case, x°° = x u l a by definition of Fri^ and Frs, which yields the unary 
laws 

x°° <\ a + x ■ x°°, y<l a + x- y=>y< x°°. 

Finally, following [7], we study a notion of greatest fixpoint on c-quantales which models the set of all 
states in x from which either 0 is reachable or infinite x-chains start. Obviously, the set of domain elements 
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is the complete distributive lattice or boolean subalgebra of the sequential subidentities. The function 
A p. q + ( x)p is isotone and thus has a least (binary) fixpoint ( x)*q which, by the results of [7], is equal to 
( x*)q. In the context of c-monoids, ( x)p = d(x ■ p). 

For the same reasons, the function A p. (x)p has a greatest fixpoint which we denote Vx. It satisfies the 
unfold and coinduction axiom 

Vx < (x) Vx, p < (x)p => p < Vx. 

We can use fixpoint fusion again and try to derive the rule 

p < (x)p + q => p < Vx + ( x*)q. 

We must instantiate / = A y.(x)y + q, g = A y. ( x)y and h = Ay. (x*)q. Then 

h(g(y)) = ( x)y + (x*)q = (x)y + q+ (x){x*)q < (x)(y + {x*)q) + q = f(h(y)). 

Then greatest fixpoint fusion yields once more 

Vx + (x*)q < vf , 

but the above counterexample excludes equality without (x)(p + q) = (x)p + (x)q. 

In general, Vx is the largest subidentity p which satisfies p = d(x ■ p). Hence p models the largest set 
of states from which executing x either leads to 0, or it leads back into p in the following sense. For each 
element in p there exists a set A which is reachable via X, and all elements of A are in p. This means that 
from all states in p indeed either infinite executions with x are possible or 0 is reachable. 

In this case, at least an explicit definition of v(x) u is possible. 

Proposition 13.9. Let S be a c-quantale. If x ■ ( d(y ) • z) = (x • d{y )) • 2 for x,y,z G S, then 

u(x) u = V(i/(x)) • U. 

As in Lemma 113.51 the infinite iteration of nonterminal elements contains terminal parts, which seems 
undesirable, but unavoidable in this context. 

Corollary 13.10. Let S be a c-quantale. If x • ( d(y) ■ z) = (x • d(y)) ■ z for all x, y, 2 G S, then 

V(t'(x)) • U + i'(x)* • r(x) < x w . 

At least for nonterminal multirelations, the situation is the same. In the general case, terminal parts 
contribute to infinite iteration, too. The absence of associativity and distributivity makes the situation more 
complicated. Separation of infinite iterations into terminating and nonterminating parts yields at least an 
underapproximation. Using V also yields sharper properties for nonterminal elements. 

Lemma 13.11. Let S be a c-quantale. If x ■ ( d(y ) • z) = (x • d(y)) ■ z for all x,y,z G S, then 

1. iy{iy(xY) = V(i/(x)) - l w , 

2. t(v{x) u ) = V(i/(x)) • 1„. 

Lemma 113.111 21 clearly shows that the infinite iteration of a nonterminal multirelation has a terminal 
and a nonterminal part. Hence there is no direct relationship between strictly infinite iteration and terminal 
or nonterminal elements. This is in contrast to the language case, where inf models infinite or divergent 
behaviour. The latter, according to Lemma |13.91 is captured by V and or U in the multirelational model, 
which is similar to the relational case. As suggested by alternating automata, terminal parts of a multire¬ 
lation rather model success or failure states, or winning or loosing states in a game based scenario, but not 
nontermination. 

The final part of this section sets up the correspondence between infinite iteration and notions of deflation- 
arity and wellfoundnedness, as they have been studied in the relational model by m- We call an element x 
uj-trivial if x“ = 0, deflationary if Vy. (y < x-y => y = 0) and wellfounded if Vy. (d(y) < d{x-y ) =>• d(y) = 0). 
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Proposition 13.12. Let x be an element of a c-quantale. The following statements are equivalent: 

1. x is wellfounded; 

2. x is deflationary; 

3. x is ui-trivial. 

In this respect, the behaviour of relations and multirelations is the same. 


14 Counterexamples 

This section collects some counterexamples for multirelations. The second set, in particular, rules out variants 
of interchange laws, as they arise for instance in the context of monoidal categories, in shuffle languages or 
for partially ordered multisets ei na [16] . More abstractly, such laws have been considered in concurrent 
Kleene algebras [El- 

Lemma 14.1. There exist multirelations R,S,T £ ^(X) such that 

1. £ R, 

2. R% i?||S, 

3. i?||S'n J R||T £ R\\(SnT), 

4. (R ■ S) ■ T £ R ■ (S ■ T), 

5. {R-T)\\{S-T)%{R\\S)-T, 

6. ( R • S)||(i2 -T)%R- (S||T), even for R\\R C R, 6'||S’ C S and T\\T C T. 

Proof. 1. Let R = {(a, {a}), (6, {6})}. Then R\\R = {(a, {a}), (6, {6}), (a, {a, b})} £ R. 

2. Let R = {(a, {a})} and S = {(a, {a, 6})}. Then R % S = R\\S. 

3. Let R = {(a, {b, c})}, S = {(a, {&})} and T = {(a, {c})}. Then 

R\\S n R\\T = i2||S = R\\T = R D Q) = S HT = R\\(S nT). 

4. A counterexample has been given in m- 

5. A counterexample has again been given in [lOl . 

6. Let R = {(a, {a}), (a, 0 )}, S = {(a, {a})} and T = 0 . Then 

R ■ (S||T) = {(a, 0 )} C {(a, {a}), (a, 0 )} = (R ■ 5)||(i? • T). 

It is straightforward to check that R\\R C R , 5||5 C S and T||T C T. 

□ 

Our next counterexamples explains the difference between algebras of multirelations and concurrent 
Kleene algebras. The latter are based on a full sequential dioid and a commutative one, with shared units 
of sequential and concurrent composition. The sequentiality-concurrency interaction is captured by the 
interchange law 

N|aO • (y\\z) < (w ■ y) II(x • z). 

From this law, the small interchange laws (x|| y) • z < x\\(y ■ z), x ■ ( y\\z ) < (x ■ y)\\z and x ■ y < x\\y are 
derivable in the presence of a shared unit for sequential and concurrent composition. These laws hold, 
in particular, in certain pomset languages and in word languages under the regular operations and with 
concurrent composition interpreted as shuffle. However, the next lemma refutes all variants of interchange 
between sequential and concurrent composition. We write R >c S if R <2 5 and Rf!>S. 
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Lemma 14.2. There exist R,S,T,U £ ..<# (X) such that 


1. (R\\S)-(T\\U)^(R-T)\\(S-U), 

2. (5||5)-Tx 5||(5-T), 

3. R ■ {S\\T) - {R ■ S)\\T, 

4. 5-5x5||5. 

Proof. 1. Let R — {(a, {a}), ( b , {a, b})} and S = {(a, {a}), ( b , {a})}- Then 

(R\\S) • (R\\S) = {(a, {a, b}), (b, {a, b})} x {(a, {a})} = (R • R)\\(S ■ S). 

2. Let R = {(a, {a, 6})} = S and T = {(a, {a}), ( b , {a})}. Then 

(R\\R) ■ T = R ■ T = {(a, {a})} x R = 5||(5 • T). 

3. Let R = {(a, {a, &})}, S = {(a, {a}), (6, {a})} and T = {(a, {a}), (b, {a, &})}. Then 

R • (5||T) = R ■ T = R x {(a, {a})} = (R ■ 5)||T 

4. Let R = {(a, {a, 6})} and S = {(a, {a}), (6, {a})}. Then 

R - S = {(a, {a})} x {(a, {a, 6})} = R\\S. 

□ 


15 Remarks on Up-Closed Multirelations 

This section briefly discusses the relationship between general multirelations a la Peleg and the up-closed 
multirelations studied by Parikh and others. As explained in Section [3] a multirelation is up-closed if 
(a, A) £ R and A C B imply (a, B) £ R. This is the case if and only if R = R\\U. 

For this special case, Parikh has defined sequential composition as 

(a, A) £ 5; S <£> 3B. (a, B) £ R A Mb £ B. (6, A) £ S. 

This corresponds to Peleg’s definition with / instantiated to A x.A. Peleg’s definition, however, does not 
preserve up-closure. Let R' = {(a, 0 )}, R = R'\\U and 5 = 0 . Then 5,5 £ 4fc(X), whereas R ■ S = R' 0 
4iy(X). Hence Peleg’s definition does not simply specialise to Parikh’s when multirelations are up-closed. 
The next lemma captures the precise relationship. 

Lemma 15.1. Let R,S £ Jt(X). Then R; {S\\U) = (R ■ S)\\U. 

^ (||t/) 

JZ(X) x J((X) ——-^ JZ(X) x <%{X) 


y/(x) -► &(x) 

(lit/) 

Consequently, Parikh’s sequential composition preserves up-closure, 

(5; (5||t/))||t/ = (R ■ S)\\U\\U = (R • S)\\U = 5; (5||J7), 
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and join. Moreover, Parikh composition of up-closed multirelations can be simulated by Peleg’s as (R\\U); (<Sj|f7) 
((i?||t/)-(5||C/))||C/._ 

Parikh composition of up-closed multirelations is associative. Hence it might be possible to derive this 
property in c-lattices, but it does not seem straightforward, and specific associativity laws for Peleg’s com¬ 
position in the presence of up-closed elements might be needed. A deeper investigation is left for future 
work. 

The case of parallel composition in the up-closed case is very simple in comparison. Rewitzky and 
Brink [30] have studied parallel composition of up-closed multirelations under the name power union and 
shown that it simply yields a contrived definition of meet. We can reproduce this result in the setting of 
c-lattices. 

Lemma 15.2. In every c-lattice, 

1. x\\Uny\\U=(x\\U)M\U), 

2. (x\\UMx\\U)=x\\U, 

5. (x\\y)-(z\\U) = (x-(z\\U))\\(y(z\\U)). 

Corollary 15.3. If R,S G X ) are up-closed, then -RUS = RC\S. 

By this result, up-closed multirelations are also meet closed, and therefore closed under the usual opera¬ 
tions, which is well known. 

Our results for c-lattices and c-quantales hold automatically in the up-closed case, interpreting parallel 
composition as intersection and translating Peleg’s sequential composition into Parikh’s. In the up-closed 
case, in particular, the interaction of sequential and parallel composition becomes a sub-distributivity law for 
sequential composition over meet, which follows directly from the greatest lower bound properties of meet 
and isotonicity of sequential composition. 

However there are differences as well. First, l^H U = U, hence the up-closure of the unit of parallel 
composition is U , which is consistent with U being the unit of meet. More generally, up-closure turns 
parallel subidentities into vectors and therefore IX {X) = X(X) in that context. Second, the definitions of 
subidentities, of domain as d(R) = (R- 1 W )||1 CT , and of the corresponding box and diamond modalities, do not 
carry over directly to the up-closed case. In particular, the definitions of the sequential unit and of sequential 
subidentities are now based on the G-relation instead of the function Aax{:c}. We leave a reconstruction of the 
subalgebra of up-closed elements in the context of c-lattices for future work as well. In particular, Parihk’s 
game logic can be based on the domain and antidomain axioms for pre-dioids given in [8] and linked with 
concepts from previous sections.. 

A duality between up-closed multirelations and sets of isotone predicate transformers has already been 
noticed by Parikh [23] . By this isomorphism, sequential composition of up-closed multirelations is associated 
with function composition of monotone predicate transformers. Obviously, a similar isomorphism between 
Peleg’s multirelations and a class of predicate transformers cannot exist since sequential composition of 
multirelations is not associative. Otherwise, a non-associative operation would have to be defined on predicate 
transformers, which may not lead to a natural concept. 


16 Conclusion 

We have investigated the structure and algebra of multirelations, which model alternation or dual nondeter¬ 
minism in a relational setting, and which form the semantics of Pcleg’s concurrent dynamic logic, extending 
a previous algebraic approach to concurrent dynamic algebra. Apart from the derivation of a considerable 
number of algebraic properties which arise from the union, intersection, sequential and parallel composition, 
and finite and infinite iteration of multirelations, we have also studied the structure of various subalgebras 
and the relationships between them, as illustrated in the diagrams of Figure [2] In particular we found that 
a domain operation, which is important for these investigations, can be defined explicitly in this setting. 
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The operations on multirelations are rather complex; their interactions are intricate. Sequential compo¬ 
sition, for instance, requires a higher-order definition, its manipulation often depends on the axiom of choice. 
Algebraic axioms similar to Tarski’s relation algebra are therefore desirable to hide this complexity. To 
address this we have developed algebraic axiom systems ranging from c-monoids to c-quantales and carried 
out most of our work at that level. At the moment, these axiom systems are less compact than those for 
up-closed multirelations or even relation algebra. It seems that much of the power of relation algebra comes 
from the operation of conversion, to which we do not know a multirelational counterpart. There is certainly 
scope for completing, revising and perhaps simplifying our axioms. 

Hence, from a mathematical point of view, more concise and comprehensive axiom systems seem de¬ 
sirable and questions such as representability, axiomatisability, and decidability at least of fragments are 
interesting—the class of representable relation algebras, which are isomorphic to algebras of binary rela¬ 
tions, is not finitely axiomatisable [19, and a similar result might be expected here. Other directions for 
research include the investigation of the up-closed case in relationship with c-lattices and c-quantales, the 
study of other classes of multirelations in which sequential composition is associative, the algebraic recon¬ 
struction of Parikh’s game logic and the association of multirelations with predicate transformer algebras. 
Beyond that, a reference formalisation of multirelational algebras in Isabelle, including their modal variants 
such as dynamic and game logics, has been developed in parallel to this article m- Its use in the formal 
analysis of games and the verification of computing systems with dual nondeterminism are next steps towards 
taming multirelations. 
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